
Security Implications of Virtualization: A Literature Study

André van Cleeff, Wolter Pieters, Roel Wieringa
Information Systems Group, University of Twente
P.O. Box 217, 7500 AE Enschede, The Netherlands
fa.vancleeff,w.pieters,[email protected]

Abstract— Data centers accumulate corporate and personal data at a rapid pace. Driven by economy of scale and the high bandwidth of today’s network connections, more and more businesses and individuals store their data remotely. Server virtualization is an important technology to facilitate this process, allowing dedicated hardware to be turned into resources that can be used on demand. However, this technology is still under development and therefore, in spite of its increasingly important role, the overall security impact of virtualization is not yet completely known.

To remedy this situation, we have performed a systematic literature review on virtualization, and decomposed the virtualization technology into distinct features, which are dependent on each other, but also have individual positive and negative effects on security.

Our study shows that, given adequate management, the core virtualization technology has a clear positive effect on availability, but that the effect on confidentiality and integrity is less positive. Virtualized systems tend to lose the properties of location-boundedness, uniqueness and monotonicity. In order to ensure corporate and private data security, we propose to either remove or tightly manage non-essential features such as introspection, rollback and transfer.

I. INTRODUCTION

Server virtualization, running many virtual servers on one physical machine, has become widespread in recent years. Benefits include reduced power consumption, lower hardware costs, as well as easier management. As for security, claimed improvements are the increased availability of applications and the isolation of processes. However, virtualization gives many more possibilities. With introspection, the inside of a virtual machine can be examined; intervention gives the ability to modify a running virtual machine. Furthermore, physical servers equipped with virtualization software can now be linked to each other, creating a whole new virtualization infrastructure, making it possible to move virtual machines from one physical server to another while they are running.

Virtualization also has security drawbacks, such as exploitable weaknesses in virtualization software, the existence of covert channels and the possibility of new types of malware. However, apart from these distinct threats, not so much is known about the overall security effect of virtualization. This is a serious issue, because virtualization is an important technology for data centers, Web 2.0 applications and new forms of on-demand or “cloud” computing. In order to understand the security impact of those technologies, it is necessary to understand the security impact of the virtualization technology as a whole. Under which circumstances does virtualization improve security, and under which does it pose a threat?

A first step towards answering these questions is to distinguish between different features of virtualization and show their interactions. In this paper we present a model consisting of five groups of features: (1) virtualization capable hardware, (2) virtual machines, (3) management of virtual machines, (4) management of physical servers running virtualization software, and (5) emergent behavior. Based on a systematic literature review, we aggregate the literature on the impact of virtualization for each feature with respect to different security properties and show how these features fit together. We conclude with an overview of how the security benefits can be maximized, from both a technical and a management point of view.

II. BACKGROUND ON VIRTUALIZATION

A. Types of virtualization

Generally, virtualization is a software layer that implements a (hardware) architecture. This layer provides a consistent interface that can be used to decouple software systems from the hardware on which they are running, making them more portable and providing easier management. Different types of components can be virtualized. For example, with resource virtualization, multiple hard disks are combined to one virtual disk, whereas with machine virtualization, the instruction set of a CPU architecture is emulated on a real physical machine. Likewise, network virtualization can use a physical switch to create virtual network compartments.

With respect to virtual machines (VMs), the abstraction layer is called virtual machine monitor (VMM). The VMM controls the VMs running on top of it. There are different types of VMMs and a taxonomy can be found in Smith and Nair. [1] In their terms, the Java Virtual Machine is of type process virtual machine, because it allows individual processes to run. In contrast, XenServer is a system virtual machine because entire operating systems (guests) can be run on top of it. System virtual machines can be further split into hosted VMMs (that run on top of another host operating system) and classic VMMs (that run on the bare hardware). Often, system VMMs also involve network virtualization, as the network connections between virtual machines can be configured in the VMM.

Classic virtualization is often called server virtualization. VMMs can also be joined together, resulting in a virtualized infrastructure. In this infrastructure, capabilities such as load balancing and the transfer of virtual machines between different physical servers are managed from a central location. We call this infrastructure and its management the “VMMM”, an acronym for virtual machine monitors’ management.

In this paper, we focus on system virtual machines of the classic type, and for the remainder of this paper we will simply use the terms VM, VMM, VMMM, and virtualization when discussing system virtualization technologies.

B. Similarities with other technologies

VMMMs resemble computer clusters, computing grids and mainframes. These systems are also comprised of multiple disks and processors, forming a logical whole. The security characteristics of virtualization are therefore also relevant for these types of computing. A notable difference is that a cluster is more often designed as a complete physical unit, whereas VMMMs are created ad hoc, out of existing machines that are spread geographically. Utility or cloud computing can use any of these technologies, treating servers simply as resources that can be used for data storage and processing, regardless of their physical location. For example, Amazon’s Elastic Compute Cloud (EC2) is known to be using the Xen VMM. [4, p. 5]

C. Usage of virtualization

To evaluate the effects of virtualization, we distinguish between different types of usage. In the literature, several types of usage are found:

1) Software testing: a testbed is created with virtual machines.
2) Software evaluation: untrusted software is evaluated in a virtual machine. The VM thus functions as a “sandbox” from which the software cannot escape.
3) Running production applications: a business’s applications are placed inside VMs.
4) Desktop virtualization: rather than giving employees physical PCs, enterprises can provide them with a personal VM running on a central server.
5) Running an intrusion detection system
8) Software distribution: software can be installed on one virtual machine, which can be distributed as virtual appliance, requiring few configuration changes. [3]

In the remainder of the paper, we concentrate on the security effects for running production applications, because here security concerns are the greatest.

III. RESEARCH APPROACH

A. Research design

The literature study is based on the method described by Webster and Watson. [6] Here, literature on a certain topic is retrieved from well-known sources such as leading journals. After this iteration, additional literature is found by tracing back the cited papers and forward towards conference papers that cite the journal papers. Rather than discussing each article or author separately, the findings are presented concept-centric, meaning all literature on a certain concept is discussed in one section. For this study, we began with a literature search on Scopus yielding a total of 151 papers of which 46 were relevant. Included journals were IEEE’s Computer as well as Security & Privacy. Another notable source was the ACM VMSec’08 workshop on virtual machine security. Literature from other sources was also included, such as datasheets from virtualization product vendors such as VMware.

The results are presented centered around specific features of virtualization, linking to earlier research on feature interaction in the telecommunications domain. There, a basic phone system is extended with different features such as call forwarding and on-hold. When used together, these features can cause interactions with either desirable or undesirable consequences. [7]

Decomposing virtualization has several benefits: firstly, the literature consists mainly of distinct security claims, arguing how a specific feature affects security in a certain context. These claims can be aggregated together for each feature. By grouping claims together for each feature, and analyzing them, we improve the understanding of the feature’s effect and can identify the more fundamental effects. Secondly, regarding those claims that are not attributed to a specific feature, but rather virtualization as a whole, we can attempt to trace their